(54) A method and system for preventing impersonation of a database user

(57) A method for preventing an administrator impersonating a user of a relational database, which database at least comprises a table with at least a user password, wherein said password is stored as a hash value. The method comprises the steps of: adding a trigger to said table, said trigger at least triggering an action when an administrator alters said table through the database management system (DBMS) of said database; calculating a new password hash value differing from said stored password hash value when said trigger is triggered; and replacing said stored password hash value with said new password hash value.
Description

Field of invention 

[0001] The present invention relates to a method and 
a system for preventing an administrator of a relational 
database impersonating a user. 

Background of the invention 

[0002] In order to protect information stored in a database, it is known to store sensitive data encrypted in the database. To access such encrypted data it has to be decrypted, which can only be done by knowing the encryption algorithm and the specific decryption key being used. Access to the decryption keys can be limited to certain users of the database system, and further, different users can be given different access rights.

[0003] Specifically, it is preferred to use a so-called granular security solution for the encryption of databases, instead of building walls around servers or hard drives. In such a solution, which is described in the document WO 97/49211 by the same applicant, a protective layer of encryption is provided around specific sensitive data items or objects. This prevents outside attacks as well as infiltration from within the server itself. It also allows the system administrator to define which data stored in databases are sensitive and thereby to focus the protection only on the sensitive data, which in turn minimizes the delays or burdens on the system that may occur with other, bulk encryption methods.
[0004] Most preferably the encryption is made on such a basic level as the column level of the databases. Encryption of whole files, tables or databases is not so granular, and thus encrypts even non-sensitive data. It is further possible to assign different encryption keys of the same algorithm to different data columns. With multiple keys in place, intruders are prevented from gaining full access to any database since a different key could protect each column of encrypted data.
[0005] In the above mentioned solutions the system administrator is responsible for setting the user permissions. Thus, for a commercial database, the system administrator operates through a middleware, the access control system (ACS), which serves for authentication, encryption and decryption. The ACS is tightly coupled to the database management system (DBMS) of the database. The ACS controls access in real time to the protected elements of the database.
[0006] Such a security solution provides separation of the duties of a security administrator (SA) from a database administrator (DBA). The DBA's role could for example be to perform usual DBA tasks, such as extending tablespaces etc., without being able to see (decrypt) sensitive data. The SA could then administer privileges and permissions, for instance add or delete users.
[0007] For most commercial databases, the database administrator has privileges to access the database and perform most functions, such as changing the passwords of the database users, independent of the settings made by the system administrator. An administrator with root privileges could also have full access to the database. This is an opening for an attack where the DBA can steal all the protected data without any knowledge of the protection system above. The attack is in this case based on the DBA impersonating another user by manipulating that user's password, even though the user's password is enciphered by a hash algorithm. An attack could proceed as follows. First the DBA logs in as himself, then the DBA reads the hash value of the user's password and stores this separately. Preferably the DBA also copies all other relevant user data. By these actions the DBA has created a snapshot of the user before any altering. Then the DBA executes the command "ALTER USER username IDENTIFIED BY newpassword". The next step is to log in under the user name "username" with the password "newpassword" in a new session. The DBA then resets the user's password and other relevant user data with the previously stored hash value.
[0008] Thus, it is important to further separate the DBA's and the SA's privileges. For instance, if services are outsourced, the owner of the database contents may trust a vendor to administer the database. Then the role of the DBA belongs to an external person, while the important SA role is kept within the company, often at a high management level. Thus, there is a need for preventing a DBA from impersonating a user in an attempt to gain access to the contents of the database.

Object of the invention 

[0009] It is therefore an object of the present invention to provide a method and a system for preventing an administrator impersonating a user of a relational database, overcoming the above mentioned problems.
[0010] The object is achieved by a method and a system according to the appended claims.

Summary of the invention 

[0011] According to the invention a method for preventing an administrator impersonating a user of a relational database, which database at least comprises a table with at least a user password, wherein said password is stored as a hash value, said method comprises the steps of:

adding a trigger to said table, said trigger at least triggering an action when an administrator alters said table through the database management system (DBMS) of said database;

calculating a new password hash value differing from said stored password hash value when said trigger is triggered;

replacing said stored password hash value with said new password hash value.

[0012] Hereby, a method is provided which overcomes the above mentioned problems. With such a method the database administrator (DBA) cannot impersonate a user. Impersonation means that the DBA steals the identity of a user and is able to act in the name of the user, preferably while the user is unaware of the impersonation. Even though the DBA can still read the encrypted password and replace it, the attempt to impersonate a user will be detected and measures can be taken.

[0013] Preferably, the method comprises the further steps of:

calculating a control value of said trigger, such as a hash value; and

comparing said trigger at the startup and at regular intervals with a recalculated control value. With these additional steps the DBA cannot even try to modify the trigger and thereby manipulate the impersonation prevention method.

[0014] With the method above the intrusion is detected when a user tries to log in, since the hash value of the user's password will not match. In order to detect intrusion earlier the method can preferably comprise the further step of comparing, for each active user having access to sensitive data, the hash value of the current login password with the currently stored password hash value, whereby said step is performed after every change of the database content by said user.
[0015] In one embodiment, the trigger comprises means for reading a log of actions on said database, means for identifying commands for altering of user passwords in said log and means for identifying which user passwords have been changed. Preferably the trigger is a daemon process.

[0016] Also according to the invention an impersonation prevention system for a relational database preventing an administrator impersonating another user, which database at least comprises a table with at least a user password, wherein said password is stored as a hash value, said system comprises:

calculation means for calculating a hash value of a user password;

trigger means, which trigger at least said calculation means for calculation of a new hash value of said password when an administrator alters said table through the database management system (DBMS) of said database; and

replacing means for replacing said stored hash value with said new hash value for each triggered calculation.

[0017] Such a system will overcome the risk of a DBA impersonating a user, with all the advantages of the method previously described.

Brief description of the drawing 

[0018] For exemplifying purposes, the invention will be described with reference to embodiments thereof illustrated in the attached drawing, wherein:

Fig. 1 is a schematic view of a system according to the invention; and

Fig. 2 is a flow-chart illustrating a method according to the invention.

Description of preferred embodiments 

[0019] Referring to fig. 1, a schematic view of the components in a granular protection system of a database is shown. The central repository of the data is the database. In this case it is a relational database. An example of such a database is Oracle8®, manufactured and sold by Oracle Corporation, USA. The data is stored in tables, which are interrelated with each other, and the tables comprise columns and rows. The database can also hold other information such as information about the structure of the tables, data types of the data elements, constraints on contents in columns, user data such as passwords, etc. The database is operated through a database management system (DBMS). A DBMS is imposed upon the data to form a logical and structured organization of the data. A DBMS lies between the physical storage of data and the users and handles the interaction between the two.
[0020] A user normally does not operate the DBMS directly; the user uses an application which in turn operates with the DBMS. Maintenance work is performed by a database administrator (DBA), who connects directly to the DBMS. An administrator is a role with certain privileges given to a person, i.e. a special kind of user. For instance, the privileges can include allowance to add new users or read data, and normally the administrator is allowed unrestricted use of the database. Thus, an administrator is allowed to manipulate data, manage users and perform other operating tasks of a database. A user, in contrast to an administrator, is normally only allowed to manipulate the actual data in the database, and often only some of the data. Which data a user can manipulate is regulated by the user's permissions, which are set by the administrator.

[0021] In order to protect the data in the database an access control system (ACS) interacts with the DBMS in order to protect data from being exposed to users without the necessary rights. The access control system in the preferred embodiment could for instance be the commercially available system "Secure.Data", a system provided by the applicant. The ACS provides encryption and decryption of data, authentication of users, and means for the security administrator (SA) to provide different users or user groups with different privileges to access data. The SA has the role of defining who gains access to which data.
[0022] Thus, a user accesses the database through an application, which in turn uses the DBMS to access the database. During the access, the ACS interacts in real time with the DBMS to permit or deny the access attempt. But a DBA will always have access to the database. However, in order to protect the information from the DBA, sensitive data is encrypted by the ACS. But there is a risk that the DBA would impersonate a user in order to gain access to decrypted data. This is, as described, prevented by a system and a method according to the invention. Such a system according to a preferred embodiment will now be described.
[0023] The system provides calculation means for calculating a hash value of a user password. The first time a user is created by the SA, the SA gives the user a user name and a user password. The user name and password are stored in the database. In order not to reveal the password to, for example, a DBA, the password is stored as a hash value. The calculation means is preferably implemented in the ACS.
[0024] The system further comprises trigger means for triggering the calculation means for calculation of a new hash value. The trigger means surveys the actions of an administrator and triggers an action when the administrator attempts to change the password of a user through the DBMS. Then the calculation means are triggered and a new hash value is calculated.
[0025] Referring to fig. 2, a preferred embodiment of a method according to the invention will now be described. Initially, when the SA creates a new user or changes the password of a user, the hash value of the password will be stored in a table. In a first step S1, a trigger is added to the table where user passwords are stored. The trigger triggers an action as soon as a database administrator alters the table. Preferably the trigger is implemented in the DBMS data language. The trigger could register each occasion an alteration is made on the table, and preferably separate those alterations that concern user passwords. Another possibility is to read the log or cache of the DBMS and search for altering statements. The trigger function could be implemented as a daemon process.

[0026] In another step, S2, if the trigger has been fired, a new hash value of the same password is calculated. The new hash value differs from the previously stored hash value. This hash algorithm is not accessible to the DBA and is preferably executed within the ACS.

[0027] Then the newly calculated hash value replaces the stored hash value in a step S3.
[0028] In another embodiment of the method according to the invention the integrity of the trigger is also checked at regular intervals. Otherwise, the DBA could deactivate the trigger temporarily in order to impersonate a user without being discovered. Therefore a snapshot is preferably created of the trigger. This could be done by creating a checksum or a hash value of the trigger, which could be stored separately or in conjunction with the trigger.

[0029] The DBA attack will be discovered either when a user logs in or during the attempt. If the hash value of a user password is compared with the stored hash value and the comparison results in a mismatch, the user will not be able to log in. But preferably after every action by a user who has access to sensitive data, the hash value of the user's login password should be compared with the stored password hash value. In that way the DBA attack will be discovered sooner.
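The attack of [0007] replayed against a password table protected by steps S1 to S3 of [0025] to [0027], together with the trigger control value of [0028], as an added example that is not part of the patent. It is built on SQLite and assumes a constructed ACS secret that the DBA cannot read; the table layout, the function names and the choice to derive the replacement hash from the written value with a keyed hash are likewise assumptions, since the patent leaves the hash algorithm to the ACS.

```python
import hashlib
import hmac
import sqlite3

# Constructed secret; assumed to live in the ACS, unreadable through the DBMS.
ACS_SECRET = b"constructed-acs-secret"

def dbms_hash(password: str) -> str:
    """Plain DBMS-style hash: any DBA can compute it for a password he knows."""
    return hashlib.sha256(password.encode()).hexdigest()

def acs_rehash(stored_hash: str) -> str:
    """Step S2: a new keyed hash that differs from whatever was just written."""
    return hmac.new(ACS_SECRET, stored_hash.encode(), hashlib.sha256).hexdigest()

def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.create_function("acs_rehash", 1, acs_rehash)
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    # Step S1: trigger on the password table. SQLite does not re-fire it for
    # the UPDATE the trigger itself issues (recursive triggers are off).
    con.execute("""CREATE TRIGGER guard_pw AFTER UPDATE OF pw_hash ON users
        BEGIN UPDATE users SET pw_hash = acs_rehash(NEW.pw_hash)
              WHERE name = NEW.name; END""")
    return con

def sa_create_user(con, name, password):  # INSERT does not fire the UPDATE trigger
    con.execute("INSERT INTO users VALUES (?, ?)", (name, dbms_hash(password)))

def dba_set_hash(con, name, pw_hash):  # the "ALTER USER ... IDENTIFIED BY" of [0007]
    con.execute("UPDATE users SET pw_hash = ? WHERE name = ?", (pw_hash, name))

def login(con, name, password) -> bool:
    row = con.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], dbms_hash(password))

def trigger_control_value(con):
    """Control value of the trigger ([0028]): a hash of its stored definition."""
    row = con.execute("SELECT sql FROM sqlite_master WHERE name = 'guard_pw'").fetchone()
    return None if row is None else hashlib.sha256(row[0].encode()).hexdigest()

def run_attack() -> dict:
    """Replays the [0007] attack against the protected table."""
    con = setup_db()
    sa_create_user(con, "alice", "correct horse")
    control = trigger_control_value(con)
    snapshot = con.execute("SELECT pw_hash FROM users WHERE name = 'alice'").fetchone()[0]
    dba_set_hash(con, "alice", dbms_hash("newpassword"))  # DBA sets a known password
    dba_login = login(con, "alice", "newpassword")         # S3 replaced it: fails
    dba_set_hash(con, "alice", snapshot)                   # DBA restores the snapshot
    user_login = login(con, "alice", "correct horse")      # mismatch: attack detected
    con.execute("DROP TRIGGER guard_pw")                   # DBA tampers with the trigger
    trigger_intact = trigger_control_value(con) == control
    return {"dba_login": dba_login, "user_login": user_login, "trigger_intact": trigger_intact}
```

The restored snapshot fires the trigger again, so the user's next login fails and the intrusion is detected as in [0029]; the control value comparison catches the dropped trigger independently of any login.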

[0030] The invention has been described above in terms of a preferred embodiment. However, the scope of this invention should not be limited by this embodiment, and alternative embodiments of the invention are feasible, as should be appreciated by a person skilled in the art. For example, it is not necessary to use a hash algorithm for enciphering the password; instead a symmetrical or an asymmetrical encryption algorithm could be used.

[0031] Such embodiments should be considered to 
be within the scope of the invention, as it is defined by 
the appended claims. 



Claims 

1. A method for preventing an administrator from impersonating a user of a relational database, which database at least comprises one table with at least one user password, which password is used for logging on to said database, wherein said password is stored as a hash value, said method comprising the steps of:

adding a trigger to said table, said trigger at least triggering an action when an administrator alters said table through a database management system (DBMS) for said database;
calculating a new password hash value differing from said stored password hash value when said trigger is triggered; and
replacing said stored password hash value with said new password hash value.

2. A method according to claim 1, comprising the further steps of:

calculating a check value of said trigger, such as a hash value; and

comparing said check value of said trigger at the startup and at regular intervals with a recalculated check value.

3. A method according to claim 1 or 2, comprising the further step of comparing, for each active user having access to sensitive data, the hash value of the current login password with the hash value of the currently stored password.

4. A method according to claim 3, wherein the further step of comparing is performed after every change of the database content by said user.

5. A method according to any of the preceding claims, wherein said trigger comprises means for reading a log of actions on said database, means for identifying commands for altering user passwords in said log and means for identifying which user passwords have been changed.

6. A relational database system for preventing an administrator impersonating another user, which database at least comprises one table with at least one user password, wherein said password is stored as a hash value, said system comprising:

calculation means for calculating a hash value of a user password, which calculation means is not accessible by said administrator;
trigger means, which trigger at least said calculation means for calculation of a new hash value of said password when an administrator alters said table through a database management system (DBMS) of said database; and
replacing means for replacing said stored hash value with said new hash value for each triggered calculation.